Field of the Invention

The present invention relates to pseudo-random number generation and in particular to a method for generating a sequence of chaos-based pseudo-random numbers and to a hardware implementation thereof.

Background of the Invention

Pseudo-random number generators (PRNGs) are useful in all applications that use Monte Carlo methods and also in cryptography [1]. PRNGs are algorithms implemented on finite-state machines for generating sequences of numbers which appear random-like under many aspects. These sequences are necessarily periodic, but their periods are very long, they pass many statistical tests and they may be easily implemented with simple and fast software routines.

Chaotic systems may be used both in cryptography (see [2]) and in generating pseudo-random numbers. For example, in a series of papers [3], a chaos-derived pseudo-random number generator has been proposed. It has been numerically observed that the average cycle and transient lengths grow exponentially with the precision of the implementation, and from this fact it has been deduced that using high-precision arithmetic it is possible to obtain PRNGs which are still of cryptographic interest. The usual statistical tests applied to PRNGs for use in Monte Carlo simulations are generally simple.

In cryptography, a PRNG should not only have good statistical properties, but also be "cryptographically secure", i.e. given a sequence of pseudo-random bits it should be impossible to predict the next bit of the sequence with a probability much greater than 1/2. For this reason, PRNGs suitable for cryptographic applications must pass the next-bit test.

The existing cryptographically secure PRNGs are not computationally efficient. Therefore they are used only for highly critical off-line operations, while for on-line tasks (like stream ciphers) fast but insecure PRNGs are employed. The drawback of this is that stream ciphers can be attacked by exploiting the weakness of their PRNG.

Statistical properties of binary sequences generated by a class of ergodic maps with some symmetry properties are discussed in [4]. The authors derived a sufficient condition for this class of maps to produce a sequence of independent and identically distributed binary random variables. However, the implementation of these maps on finite-state machines and the consequences this implementation may have on the randomness of the generated sequences have not been discussed.

For a better comprehension of a possible field of application of the invention, a brief introduction to the basic concepts of pseudo-random bit generation is provided, according to the approach of [1] (see also [5]).

Definition 1 A (truly) random bit generator is a device which outputs a sequence 
of statistically independent and unbiased binary digits. 

A random bit generator can be used to generate random numbers. For a chaos- 
based generator of truly random bits see [6]. 

Definition 2 A pseudo-random bit generator (PRBG) is a deterministic algorithm which, given a truly random binary sequence of length $k$, outputs a binary sequence of length $l \gg k$ which "appears" to be random. The input of the PRBG is called the seed, while the output of the PRBG is called a pseudo-random bit sequence.

Definition 3 A pseudo-random bit generator is said to pass all polynomial-time statistical tests if no polynomial-time algorithm can correctly distinguish between an output sequence of the generator and a truly random sequence of the same length with probability significantly greater than 1/2.

Definition 4 A pseudo-random bit generator is said to pass the next-bit test if there is no polynomial-time algorithm which, on input of the first $l$ bits of an output sequence $s$, can predict the $(l+1)$-st bit of $s$ with probability significantly greater than 1/2. In this case the PRBG is said to be unpredictable.

Theorem 1 A pseudo-random bit generator passes the next-bit test if and only if it 
passes all polynomial-time statistical tests. 

Definition 5 Let $G = \{G_n, n \ge 1\}$ be an ensemble of generators, with $G_n : \{0,1\}^n \to \{0,1\}^{p(n)}$, where $p(\cdot)$ is a polynomial satisfying $n + 1 \le p(n) \le n^c + c$ for some fixed integer $c$. We say that $G$ is a cryptographically secure pseudo-random bit generator if

- there is a deterministic polynomial-time algorithm that on input of any $n$-bit string outputs a string of length $p(n)$;
- for sufficiently large $n$, the generator $G_n$ passes the next-bit test.

All the above definitions and the theorem are informal. For a formal definition of statistical test (Definition 3), see Yao [7]. The notion of cryptographically secure pseudo-random bit generator was introduced by Blum and Micali [8]. Theorem 1 (universality of the next-bit test) is due to Yao [7].

The last three definitions above are given in complexity-theoretic terms and are asymptotic in nature, because the notion of "polynomial-time" is meaningful for asymptotically large inputs only. Therefore, the security results for a particular family of PRBGs are only an indirect indication of the security of its individual members.

Blum and Micali [8] presented the following construction of a cryptographically secure PRBG. Let $D$ be a finite set, and let $f : D \to D$ be a permutation that can be efficiently computed. Let $B : D \to \{0, 1\}$ be a Boolean predicate with the property that $B(x)$ is hard to compute given only $x \in D$, whereas $B(x)$ can be efficiently computed given $y = f^{-1}(x)$. The output sequence $z_1, z_2, \ldots, z_l$ corresponding to the seed $x_0 \in D$ is obtained by computing $x_i = f(x_{i-1})$, $z_i = B(x_i)$ for $1 \le i \le l$.

Blum and Micali [8] proposed the first concrete instance of a cryptographically secure PRBG. Let $p$ be a large prime. Define $D = \mathbb{Z}_p^* = \{1, 2, \ldots, p-1\}$ and let $\alpha$ be a generator of $\mathbb{Z}_p^*$. The function $f : D \to D$ is defined by $f(x) = \alpha^x \bmod p$. The function $B : D \to \{0, 1\}$ is defined by $B(x) = 1$ if $0 \le \log_\alpha x < (p-1)/2$ and $B(x) = 0$ if $\log_\alpha x \ge (p-1)/2$. Assuming the intractability of the discrete logarithm problem in $\mathbb{Z}_p^*$, the Blum-Micali generator was proven to satisfy the next-bit test. Other examples of cryptographically secure PRBGs are the RSA generator [9] and the Blum-Blum-Shub generator [10].

Linear congruential generators 

A linear congruential generator produces a pseudo-random sequence of numbers $x_1, x_2, \ldots$ according to the linear recurrence

$$x_n = (a x_{n-1} + b) \bmod m, \qquad n \ge 1$$

The integers $a$, $b$ and $m$ are parameters which characterize the generator, while $x_0$ is the seed. Generators of this form are widely used in Monte Carlo methods, taking $x_i / m$ to simulate uniform draws on $[0, 1]$.

For a study of linear congruential generators, see Knuth [11]. Plumstead [12] and Boyar [13] showed how to predict the output sequence of a linear congruential generator given only a few elements of the output sequence, and when the parameters $a$, $b$ and $m$ of the generator are unknown. Boyar [13] extended her methods and showed that linear multivariate congruential generators,

$$x_n = (a_1 x_{n-1} + a_2 x_{n-2} + \cdots + a_l x_{n-l}) \bmod m$$

and quadratic congruential generators,

$$x_n = (a x_{n-1}^2 + b x_{n-1} + c) \bmod m$$

are cryptographically insecure. Krawczyk [14] showed how the output of any multivariate polynomial generator can be efficiently predicted. A truncated linear congruential generator is one where a fraction of the least significant bits of $x_i$ are discarded. Frieze et al. [15] showed that these generators can be efficiently predicted if the parameters $a$, $b$ and $m$ are known. Stern [16] extended this method to the case where only $m$ is known. Boyar [17] presented an efficient algorithm for predicting linear congruential generators when $O(\log \log m)$ bits are discarded and the parameters are unknown.

No efficient prediction algorithms are known for truncated multivariate polynomial congruential generators.
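As an added illustration of the kind of attack cited above (not from the original text, and not a transcription of the algorithms of [12] or [13]), the following Python code recovers an untruncated linear congruential generator from a short run of its outputs using the standard difference-and-gcd technique: with $t_n = x_{n+1} - x_n$ one has $t_{n+1} \equiv a\,t_n \pmod m$, so every $t_{n+2} t_n - t_{n+1}^2$ is a multiple of $m$. The parameters of PRNG1 from Tab. 1 below ($a = 84589$, $b = 45989$, $m = 217728$) are used as the concrete instance; the seed is an assumption.

```python
# Recovering an unknown LCG from its outputs: added example, not from the
# patent and not a transcription of [12] or [13].  With t_n = x_{n+1} - x_n,
# t_{n+1} = a*t_n (mod m), hence t_{n+2}*t_n - t_{n+1}^2 is a multiple of m
# for every n; the gcd of a few such terms recovers m (or a small multiple
# of it), after which a and b follow from two consecutive differences.
from math import gcd
from typing import List, Optional, Tuple

# PRNG1 of Tab. 1; the seed is an assumption.
A_TRUE, B_TRUE, M_TRUE = 84589, 45989, 217728
SEED = 12345


def lcg(a: int, b: int, m: int, seed: int, n: int) -> List[int]:
    """x_1..x_n of x_i = (a*x_{i-1} + b) mod m."""
    out, x = [], seed % m
    for _ in range(n):
        x = (a * x + b) % m
        out.append(x)
    return out


def modulus_candidate(xs: List[int]) -> int:
    """gcd over n of t_{n+2}*t_n - t_{n+1}^2; always a multiple of the true m."""
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    g = 0
    for i in range(len(t) - 2):
        g = gcd(g, abs(t[i + 2] * t[i] - t[i + 1] ** 2))
    return g


def reproduces(params: Tuple[int, int, int], xs: List[int]) -> bool:
    """True iff params map each observed x_j onto the observed x_{j+1}."""
    a, b, m = params
    return all((a * xs[j] + b) % m == xs[j + 1] for j in range(len(xs) - 1))


def recover_lcg(xs: List[int]) -> Optional[Tuple[int, int, int]]:
    """(a, b, m) that reproduces every transition in xs, or None.

    None means the gcd left a spurious factor in m that prevented inverting
    any difference; feeding more outputs normally removes it.
    """
    m = modulus_candidate(xs)
    if m == 0:
        return None
    t = [xs[i + 1] - xs[i] for i in range(len(xs) - 1)]
    for i in range(len(t) - 1):
        if gcd(t[i] % m, m) != 1:           # need t_i invertible to solve for a
            continue
        a = (t[i + 1] * pow(t[i] % m, -1, m)) % m
        b = (xs[i + 1] - a * xs[i]) % m
        if reproduces((a, b, m), xs):
            return a, b, m
    return None


OBSERVED = lcg(A_TRUE, B_TRUE, M_TRUE, SEED, 24)   # what an attacker sees
```

Two dozen outputs are plenty here; the attacker needs neither $a$, $b$ nor $m$ in advance, which is exactly why the text calls these generators unsuitable for cryptographic use.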

Object and Summary of the Invention 

A method of generating a sequence of chaos-based pseudo-random numbers has been found, together with hardware pseudo-random bit generators that are easy to realize. The sequence of numbers is practically unpredictable and at the same time may be generated using very simple functions.

The known methods of generating cryptographically secure (or unpredictable) pseudo-random numbers are based on the use of complicated functions whose inverse is well defined but hard to compute. According to the common knowledge this is necessary, because otherwise it would be easy to predict the numbers of a pseudo-random sequence.

As a consequence, known methods are relatively slow and hardware generators 
that implement them have a quite complex architecture. 

On the contrary, the method of the invention consists in generating pseudo-random numbers by using simple functions whose inverse is not a well-defined function and has a large number of branches, although the inverse can be easily computed on each particular branch.

More precisely, an object of the present invention is a method of generating a chaos-based pseudo-random sequence comprising the steps of:
- defining a chaotic map for generating a pseudo-random sequence of integer numbers comprised in a certain interval;
- defining a function on this interval whose inverse has a plurality of branches;
- choosing a seed of the pseudo-random sequence of integer numbers comprised in the interval;
- generating numbers of the pseudo-random sequence;
- calculating numbers of a chaos-based pseudo-random sequence by applying the function to corresponding integer numbers of the pseudo-random sequence.

This method is preferably used for generating chaos-based pseudo-random bit sequences and may be implemented in a hardware generator of chaos-based pseudo-random bit sequences, comprising:

- circuit means for storing bit strings representing integer numbers of the 
pseudo-random sequence; 

- a shift register coupled to the circuit means; 

- a command circuit generating shift commands for the shift register; 

- second circuit means for storing the bits output by the shift register; 

- an adder modulo 2 summing the bits stored in the second circuit means, 
generating a bit of the chaos-based pseudo-random bit sequence; 

- a second adder summing up the bit strings currently stored in the shift register 
and in the first circuit means, generating a bit string representing a successive 
number of the pseudo-random sequence. 

The invention is more precisely defined in the annexed claims. 

Brief Description of the Drawings 

The different aspects and advantages of the invention will appear even more clearly through the following description referring to the attached drawings, wherein:

Figure 1 is a diagram describing in a basic manner a preferred embodiment of the method of the invention for generating chaos-based pseudo-random bit sequences;
Figure 2 is a hardware generator implementing an embodiment of the method of the invention;
Figure 3 is a particular embodiment of a hardware generator of the invention implementing the method described in Figure 1 for k=2.

Description of Several Embodiments of the Invention 

In order to illustrate in an easy manner the gist of the invention, let us refer to the following sample algorithm for generating a sequence of (real) numbers $X_1, X_2, \ldots$.

First of all, a chaotic map is chosen:

(1)

where $n = 0, 1, \ldots$, $x_0 \in [0, 2^m]$, $p > 2^m$, $p$ is an odd integer. The generic term $X_n$ of the sequence is given by

$$X_n = H(x_n) = \sin^2(x_n) \qquad (2)$$

Is the sequence $X_1, X_2, \ldots$ predictable? In other words, knowing a finite number of elements of this sequence, say $X_j, X_{j+1}, \ldots, X_{j+k-1}$, is it possible to predict the previous and the next elements of the sequence, $X_{j-1}$ and $X_{j+k}$?

Let us start our discussion from the simplest case: $p = 3$ and $m = 1$. Using the following well known relations

and

$$\sin^2(3a) = \sin^2(a)\,[3 - 4\sin^2(a)]^2$$

we find

$$(2X_{n+1} - 1)^2 + X_n (3 - 4X_n)^2 = 1$$

It is easy to show that for almost all $X_n$ there are 2 equally likely values for $X_{n+1}$. In a similar way, for almost all $X_{n+1}$ there are 3 equally likely values for $X_n$. Furthermore, the number of points $X_i$ for which there are less than 2 values of $X_{i+1}$ (or less than 3 values of $X_{i-1}$) is finite.

This result can be generalized for arbitrary $p$ and $m$. After some simple algebra we find a functional relation between $X_n$ and $X_{n+1}$:

$$Q_m(X_{n+1}) + F_p(X_n) = 1 \qquad (3)$$

where the first term on the left-hand side of this equation, $Q_m(X_{n+1})$, is a polynomial of order $2^m$ in $X_{n+1}$ (for $m = 1$ it is $(2X_{n+1} - 1)^2$) and $F_p$ is the $p$-th order Chebyshev map. Thus, for arbitrary $m$ and almost all $x_0$, equation (3) has $2^m$ solutions for $X_{n+1}$ when $X_n$ is known and $p$ solutions for $X_n$ when $X_{n+1}$ is known. Therefore, for large $m$ and almost all $x_0$ the sequence $\{X_i\}_{i=1}^{\infty}$ is one-step unpredictable: for any element $X_k$ in the sequence one can only guess with probability $1/2^m$ (among $2^m$ equally distributed values of $X_{k+1}$) what the next element $X_{k+1}$ is, and with probability $1/p$ (among $p$ equally distributed values of $X_{k-1}$) what the previous element $X_{k-1}$ was. The set of initial conditions $x_0$ for which the above statement does not hold is finite.

What are the properties of the sequence $X_1, X_2, \ldots$? The map $H(\cdot)$ in (2) is not a distribution preserving map and thus the output sequence is not equally distributed. It is possible to avoid this problem using, for example, a periodic tent map instead of the sine function.

There are much more serious problems related to the sequence $X_1, X_2, \ldots$: it has been proved that this sequence is 1-step unpredictable, from which it does not follow that the sequence is $k$-step unpredictable. In fact, the sequence $X_1, X_2, \ldots$ is 3-step predictable, as follows from the following analysis.

Let $b_m \ldots b_1 b_0 . a_1 a_2 \ldots$ be the binary representation of $x \in [0, q]$, $q = 2^m$, and write $x = (b_m, \ldots, b_1, b_0; a_1, a_2, \ldots)$. Let us define the functions $c(x)$ and $d(x)$ as $c(x) = b_m \ldots b_1 b_0$ and $d(x) = 0.a_1 a_2 \ldots$ (the integer and the fractional part of $x$). Suppose the value of $d((r \cdot c) \bmod q)$ is known, where

$c \in \{0, 1, \ldots, q-1\}$, $r = p/q$, $q = 2^m$, $\gcd(p, q) = 1$, $p > q$,

$\gcd(\cdot,\cdot)$ being the greatest common divisor function.

Is the value of $c$ predictable? Let $0.r_{-1} \ldots r_{-m}$ and $c_{m-1} \ldots c_1 c_0$ be the binary representations of $d(r)$ and $c$, respectively, and let $0.a_1 a_2 \ldots a_m$ be the binary representation of $d((r \cdot c) \bmod q)$. Given that $a_m = c_0 \cdot r_{-m}$ and $r_{-m} = 1$ ($p$ must be an odd number), it holds that $c_0 = a_m$. Therefore, by knowing the value of $a_m$, $c_0$ can be easily determined. Furthermore, from the relation $a_{m-1} = r_{-m+1} \cdot c_0 \oplus r_{-m} \cdot c_1$ and the previously determined value of $c_0$ it is possible to determine the value of $c_1$. By repeating these arguments (at each step the carries from the lower bit positions are already fixed by the bits found so far), the values of all bits $c_0, c_1, \ldots, c_{m-1}$ may be computed.

Proposition 1 Let $c \in \{0, 1, \ldots, q-1\}$ and $r = p/q$, where $p > q$, $\gcd(p, q) = 1$ and $q = 2^m$. If we know the value of $d((r \cdot c) \bmod q)$, then we can uniquely determine the value of $c$.
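The bit-by-bit recovery in the argument for Proposition 1, as an added Python example (not part of the original text). The fractional part $d((r \cdot c) \bmod q)$ is $(p \cdot c \bmod 2^m)/2^m$, i.e. the $m$ low bits of the product $p \cdot c$; the function below walks those bits from $a_m$ upward exactly as the text does, fixing one bit of $c$ per step, and a second function obtains the same $c$ from $p^{-1} \bmod 2^m$ to show the uniqueness from another angle. The values of $p$ and $m$ in the checks are those of the examples further down; the value of $c$ is arbitrary.

```python
# Recovering c from the fractional bits of (r*c) mod q, q = 2^m, r = p/q.
# Added example, not from the patent.  d((r*c) mod q) = (p*c mod 2^m) / 2^m,
# so its bits a_1..a_m are the m low bits of the product p*c, most
# significant first.  Because p is odd the lowest product bit is c_0, the
# next is p_1*c_0 xor c_1 (no carry yet), and every further bit brings in
# exactly one new unknown bit of c plus carries already fixed by earlier bits.


def fractional_bits(p: int, m: int, c: int) -> list:
    """a_1..a_m of d((r*c) mod q) as a list, a_1 (most significant) first."""
    low = (p * c) % (1 << m)
    return [(low >> (m - i)) & 1 for i in range(1, m + 1)]


def recover_c(p: int, m: int, a: list) -> int:
    """Rebuild c from a_1..a_m the way the text's argument does.

    Bit j of (p*c) mod 2^m depends only on bits 0..j of c.  With bits 0..j-1
    already fixed, try bit j = 0; if the product bit disagrees with a_{m-j},
    set bit j (adding p*2^j flips product bit j since p_0 = 1).
    """
    assert p % 2 == 1, "p must be odd, i.e. gcd(p, 2^m) = 1"
    c = 0
    for j in range(m):
        target = a[m - 1 - j]            # a_{m-j} is bit j of (p*c) mod 2^m
        if ((p * c) >> j) & 1 != target:
            c |= 1 << j
    return c


def recover_c_inverse(p: int, m: int, a: list) -> int:
    """Same result in one step: c = (p*c mod 2^m) * p^{-1} mod 2^m."""
    q = 1 << m
    low = sum(bit << (m - i) for i, bit in enumerate(a, start=1))
    return (low * pow(p, -1, q)) % q
```

Either route shows why the integer part $c(x_n)$ of the state is not hidden by the map alone: the $m$ fractional bits of the next state leak all $m$ bits of $c$.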

We say that the sequence $X_1, X_2, X_3, \ldots$ is $k$-step predictable if there exist $X_n, X_{n+1}, \ldots, X_{n+k-1}$ such that knowing them one can predict the values of $X_{n-1}$ or $X_{n+k}$.

Theorem 2 The sequence $X_1, X_2, X_3, \ldots$ is 3-step predictable.

Proof. It holds that $X_1 = H(x_1)$, $X_2 = H(x_2)$ and $X_3 = H(x_3)$. Let $c_1 = c(x_1)$, $d_1 = d(x_1)$, $c_2 = c(x_2)$ and $d_2 = d(x_2)$. According to the first relation, the value of $d_1$ is either $d_{11} = \arcsin(\sqrt{X_1}) \in [0, \pi/2]$ or $d_{12} = \pi - d_{11}$. Analogously, the value of $d_2$ is either $d_{21} = \arcsin(\sqrt{X_2}) \in [0, \pi/2]$ or $d_{22} = \pi - d_{21}$. Furthermore, $x_1$ and $x_2$ are related as $x_2 = (r \cdot x_1) \bmod q$. Therefore we have

$$d_2 = d\bigl((r \cdot (c_1 + d_1)) \bmod q\bigr) = d\bigl(d((r \cdot c_1) \bmod q) + d((r \cdot d_1) \bmod q)\bigr) \qquad (4)$$

Let $c_1(i, j)$ denote the solution of equation (4) for $d_1 = d_{1i}$ and $d_2 = d_{2j}$, if such a solution exists. There are at most four possible values of $x_1$: $c_1(1,1) + d_{11}$, $c_1(1,2) + d_{11}$, $c_1(2,1) + d_{12}$ and $c_1(2,2) + d_{12}$. The actual value of $x_1$ can be determined by checking for which of these values the third member of the sequence is $X_3$. Once the value of $x_1$ is determined, it is easy to compute all subsequent members $X_4, X_5, \ldots$.

There are several ways to generalize equations (1) and (2). First, $f(\cdot)$ in (1) can be an arbitrary chaotic map defined on $[0, q]$, where $q$ is a large integer. Second, $H(\cdot)$ in (2) can be an arbitrary non-periodic function $H : [0, q] \to [0, 1]$ such that its inverse $H^{-1}(\cdot)$ has $q$ branches. Third, the proof of Theorem 2 uses the fact that $H(\cdot)$ is a periodic function from $[0, q]$ to $[0, 1]$, but, for example, $H(\cdot)$ can be any periodic function $H : [0, q] \to C$, where $C$ is a small finite set, for example $C = \{0, 1\}$. Some of these possibilities are examined hereinafter.

Cryptographically Secure PRNGs 

The construction of cryptographically secure PRBGs of Blum and Micali [8] is based on the assumption that the inverse of a function is a well-defined function which is, however, hard to compute.

On the contrary, according to the method of the present invention, it is possible to have cryptographically secure PRNGs (and thus cryptographically secure PRBGs) using simple functions $H(\cdot)$ whose inverse is not a well-defined function and has a large number of branches, although the inverse is easy to compute on a particular branch. In particular, if the inverse of the function $H : [0, q] \to C$ has $q$ branches, even knowing a value $X_n$ of the random number sequence $X_1, X_2, \ldots$, the value $x_n$ actually used, such that $X_n = H(x_n)$, may be predicted only with a probability of $1/q$, that is, $x_n$ may be any of the integers of the interval $[0, q]$.

This approach is much more convenient than the approach of Blum and Micali [8] because the function $H(\cdot)$ may be very simple, and thus it may be easily implemented for realizing effectively unpredictable sequences of pseudo-random numbers.
Because of the importance of PRBGs, in the ensuing description reference will be made to a preferred embodiment of the invention for generating a pseudo-random sequence of bits, but what will be stated could be easily repeated, mutatis mutandis, for generators of sequences of pseudo-random numbers.

An objective of the invention is to design a class of pseudo-random bit generators that use only binary operations and may be implemented as a fast algorithm. To keep the connection with the previous description as close as possible, we slightly abuse notation and write $X_i$ for the output sequence of bits.

Let $b_M \ldots b_1 b_0 . a_1 a_2 \ldots$ be the binary representation of $x \in I = [0, 2^M]$ and write $x = (b_M, \ldots, b_1, b_0; a_1, a_2, \ldots)$. Let us define a set

$$I^{(k)} = \{x \mid x = (b_M, \ldots, b_0; a_1, a_2, \ldots, a_k)\}$$

as the set of truncated real numbers in $I$. Let $\mathrm{trunc}_k : I \to I^{(k)}$ and $H : I^{(k)} \to \{0, 1\}$ be two functions defined as follows:

$$\mathrm{trunc}_k(x) = (b_M, \ldots, b_0; a_1, a_2, \ldots, a_k) \qquad (5)$$

and

$$H(x) = a_1 \oplus a_2 \oplus \cdots \oplus a_k \qquad (6)$$

The seed of the generator is the string of 0s and 1s of length $M + k + 1$, which is written in the form $x_0 = (b_M, \ldots, b_0; a_1, \ldots, a_k)$. The output of the generator is a sequence of bits $X_1, X_2, \ldots$ produced as described hereinbelow.

Two sample pseudo-random bit generators are presented. In the first case the next bit is generated as:

$$x_{i+1} = \mathrm{trunc}_k\!\left(\frac{p}{2^m}\, x_i \bmod 2^M\right) \qquad (7)$$

$$X_{i+1} = H(x_{i+1}) \qquad (8)$$

In the second case, let the bit $X_i$ have been produced. The next bit is generated as:

$$y_i = x_i \oplus X_i \qquad (9)$$

$$x_{i+1} = \mathrm{trunc}_k\!\left(\frac{p}{2^m}\, y_i \bmod 2^M\right) \qquad (10)$$

$$X_{i+1} = H(x_{i+1}) \qquad (11)$$

In the above equations $i = 0, 1, 2, \ldots$; $p$, $m$, $M$ and $k$ are the parameters of the generator, $X_0 = 0$ and

$$x_i \oplus X_i = (b_M, \ldots, b_0; a_1, a_2, \ldots) \oplus X_i = (b_M, \ldots, b_0; a_1 \oplus X_i, a_2 \oplus X_i, \ldots)$$

that is, the output bit is XORed into each fractional bit of $x_i$.

Equations (7) and (10) are discrete versions of (1). An additional parameter $M$ has been introduced, making the algorithm more flexible: $m$ can be an arbitrary integer, while $2^M$ should always be a large number. The output of the generator is given by (8) or (11): instead of the sine function, the periodic function $H$ defined by (6) is used. Finally, with (9) the initial point (seed) of the generator is changed in each iteration. The parameters of the generator have the following constraints: $p$ is an arbitrary odd integer such that $p > 2^m$, $M$ is an integer such that $M \ge 64$ and $M \gg m$, and $m$ and $k$ are arbitrary integers.

Simple arguments (not a proof) for an elementary explanation of the unpredictability of the generator are given. The next bit $X_{i+1}$ of the generator (or the previous bit $X_{i-1}$) may be determined only if all bits of $x_i$ are known, which is, however, not possible: $x_i$ has the form $x_i = (c_M, \ldots, c_0; d_1, \ldots, d_k)$ and one can only guess among $2^M$ equally distributed values what $x_i$ is. Moreover, it has been numerically verified that the probability $p(X_i \mid X_{i-1}, X_{i-2}, \ldots)$ does not depend on the previously generated bits and is approximately equal to 0.5.

Let $G = \{G_n, n \ge 1\}$ be an ensemble of generators, with $G_n : \{0,1\}^n \to \{0,1\}^{p(n)}$, where $p(\cdot)$ is a polynomial satisfying $n + 1 \le p(n) \le n^c + c$ for some fixed integer $c$. It is well known that if a cryptographically secure PRBG with $p(n) = n + 1$ exists, then there is a cryptographically secure PRBG with $p(n) = n^c + c$ for each $c \ge 2$. Therefore, using all the above arguments, it is possible to conclude that the presented bit generators are cryptographically secure.

By defining $p$, $m$, $M$ and $k$ a particular pseudo-random number generator can be realized. Two examples are presented.

Example 1 The generator is defined by equations (7) and (8). The parameters of the pseudo-random number generator are: $p = 5$, $m = 2$, $M = 256$ and $k = 2$.

Example 2 The generator is defined by equations (9), (10) and (11). The parameters are: $p = 419$, $m = 8$, $M = 64$ and $k = 64$.
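Both generators, as an added bit-level model in Python (not the patent's own code). A real $x$ with $M$ integer bits and $k$ fractional bits is held as a Python integer of $M + k$ bits (so $x = \mathtt{state}/2^k$, and the integer part is kept modulo $2^M$ as the mod in (7) and (10) prescribes); with that convention $\mathrm{trunc}_k$ of $(p/2^m)\,x$ is the integer shift $(p \cdot \mathtt{state}) \gg m$ and the mod $2^M$ is a mask on the top bits. The parameters are those of Examples 1 and 2; the seeds used in the checks are assumptions, and the all-zero seed is included because it is a fixed point of the map and has to be excluded in use.

```python
# Bit-level model of the generators of equations (7)-(8) and (9)-(11).
# Added example, not the patent's own code.  A real x with M integer bits and
# k fractional bits (b_{M-1}..b_0 ; a_1..a_k) is a Python int of M+k bits,
# x = state / 2**k.  Then trunc_k((p/2**m) * x) is (p*state) >> m and
# "mod 2**M" is a mask on the M+k low bits.  Parameters from Examples 1 and 2.
from dataclasses import dataclass


@dataclass(frozen=True)
class Params:
    p: int   # odd, p > 2**m
    m: int
    M: int   # the text requires M >= 64 and M >> m
    k: int


EXAMPLE1 = Params(p=5, m=2, M=256, k=2)     # PRNG2 in Tab. 1
EXAMPLE2 = Params(p=419, m=8, M=64, k=64)   # PRNG3 in Tab. 1


def trunc_map(prm: Params, state: int) -> int:
    """Equations (7)/(10): trunc_k((p/2^m) * x mod 2^M) in fixed point."""
    full = (1 << (prm.M + prm.k)) - 1
    return ((prm.p * state) >> prm.m) & full


def H(prm: Params, state: int) -> int:
    """Equation (6): XOR of the k fractional bits a_1..a_k."""
    frac = state & ((1 << prm.k) - 1)
    return bin(frac).count("1") & 1


def prng_no_feedback(prm: Params, seed: int, n: int) -> list:
    """Equations (7) and (8): n output bits from the given seed."""
    x, out = seed, []
    for _ in range(n):
        x = trunc_map(prm, x)
        out.append(H(prm, x))
    return out


def prng_feedback(prm: Params, seed: int, n: int) -> list:
    """Equations (9), (10), (11) with X_0 = 0: the last output bit is XORed
    into every fractional bit of the state before the next map step."""
    x, X, out = seed, 0, []
    frac_mask = (1 << prm.k) - 1
    for _ in range(n):
        y = x ^ (frac_mask if X else 0)   # (9): acts on a_1..a_k only
        x = trunc_map(prm, y)             # (10)
        X = H(prm, x)                     # (11)
        out.append(X)
    return out


def ones_fraction(bits: list) -> float:
    """Fraction of ones; the text reports roughly 0.5 for these generators."""
    return sum(bits) / len(bits)
```

A zero state maps to zero and emits zeros forever, so a deployment must reject the all-zero seed; a seed with very few set bits behaves the same way for the first iterations until the shift-and-add spreads them.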

Statistical tests cannot prove that a sequence is random; tests can only show that a sequence is not random. In other words, tests help only to detect certain kinds of weaknesses a generator may have. If a sequence passes a finite number of statistical tests, it is not guaranteed that the sequence was indeed generated by a (truly) random number generator.

Five standard tests, commonly used for determining whether a binary sequence has some properties that a truly random sequence would be likely to exhibit, are [1]: the frequency test, serial test, poker test, runs test and autocorrelation test. Linear congruential generators pass the standard tests. An additional package of tests was proposed in [18], for which standard random number generators (congruential, shift-register and lagged-Fibonacci generators) give poor results.

All these tests have been applied to the generators described in the previous section and the results are summarized in the following table.





Test                                 PRNG1   PRNG2   PRNG3
-----------------------------------  ------  ------  ------
Birthday spacings                    FAIL    pass    pass
Overlapping 5-permutation            FAIL    pass    pass
Binary rank for 31x31 matrices       FAIL    pass    pass
Binary rank for 32x32 matrices       FAIL    pass    pass
Binary rank for 6x8 matrices         FAIL    pass    pass
Bitstream                            FAIL    pass    pass
OPSO                                 FAIL    pass    pass
OQSO                                 FAIL    pass    pass
DNA                                  FAIL    pass    pass
Count-the-1s on a stream of bytes    FAIL    pass    pass
Count-the-1s for specific bytes      FAIL    pass    pass
Parking lot                          FAIL    pass    pass
Minimum distance                     FAIL    pass    pass
3D spheres                           FAIL    pass    pass
Squeeze                              FAIL    pass    pass
Overlapping sums                     pass    pass    pass
Runs                                 pass    pass    pass
Craps                                FAIL    pass    pass

Tab. 1



PRNG1 is a linear congruential generator with $a = 84589$, $b = 45989$ and $m = 217728$. The values of the parameters are taken from [19]; we obtain similar results with different values of $a$, $b$ and $m$. PRNG2 and PRNG3 are the generators of Examples 1 and 2.

Description of a hardware generator of the invention 

Once the parameters $p$, $m$, $k$ and $M$ of equations (7) and (8) (or of equations (9), (10) and (11)) are fixed, a hardware pseudo-random bit generator may be easily and efficiently implemented.



Following Example 1 (PRNG2), we take $p = 5$, $m = 2$, $k = 2$ and $M = 256$. Now $x = b + a$, where (in base 2) $b = b_M \ldots b_1 b_0$ and $a = 0.a_1 a_2$, and $\frac{p}{2^m} = \frac{5}{4} = 1 + \frac{1}{4}$. Then $\left(\frac{5}{4}\, x\right) \bmod 2^M$ can be rewritten as

$$\left(b + \frac{1}{4}\, b + a + \frac{1}{4}\, a\right) \bmod 2^M$$

The term $\frac{1}{4}\, b$ can be obtained by shifting $b$ by 2 bits towards the right (i.e., $\frac{1}{4}\, b = 00 b_M \ldots b_3 b_2 . b_1 b_0$). Moreover, since the term $\frac{1}{4}\, a$ is less than $\frac{1}{4}$, it is immaterial with respect to the truncation operation $\mathrm{trunc}_2$ and we can omit it. At last, the mod $2^M$ operation is simply obtained by discarding the overflow of the $M$-bit summation. Therefore, the quantity $\mathrm{trunc}_k\!\left(\left(\frac{p}{2^m}\, x_i\right) \bmod 2^M\right)$ is substantially the sum of the two bit strings $b_M \ldots b_2 b_1 b_0 . a_1 a_2$ and $00 b_M \ldots b_3 b_2 . b_1 b_0$.

Summing up, the operations involved in PRNG2 are bit shift, bit sum and XOR (while, for example, the Blum-Micali generator uses modular exponentiation and the Blum-Blum-Shub generator uses modular multiplication). Figure 1 depicts the application of equations (7) and (8) at the generic $i$-th step.

In the above mentioned figure, the array of bits $b'_M \ldots b'_0 . a'_1 a'_2$ indicates the result of the sum between $b_M \ldots b_2 b_1 b_0 . a_1 a_2$ and $00 b_M \ldots b_3 b_2 . b_1 b_0$ and is stored in a temporary buffer for (the base 2 representation of) $x_{i+1}$. At the subsequent $(i+1)$-th step, the content of this buffer shall be overwritten on the bits $b_M \ldots b_2 b_1 b_0 . a_1 a_2$.

A basic realization of a hardware generator of a chaos-based pseudo-random bit sequence of the invention is depicted in Figure 2. It comprises a first memory buffer MEM for storing bit strings representing integer numbers $x_n$ of the PRN sequence, a shift register R1 driven by a command circuit, a second memory buffer R2 storing the bits output by the shift register R1, a first adder ADD1 modulo 2 and a second adder ADD2.

Preliminarily, a seed $x_0$ is stored in the memory buffer MEM; then the desired bit sequence $X_n$ is generated by repeating cyclically the following steps:
- the content of the first buffer MEM is copied into the shift register R1;
- the command circuit provides a certain number $k$ of shift commands to the shift register R1, which outputs the $k$ least significant bits of the string representing the number $x_n$;
- the bits output by the shift register are stored in the second buffer R2 and are summed modulo 2 by the first adder ADD1, generating a bit $X_n$ of the chaos-based pseudo-random bit sequence;
- the second adder ADD2 sums the bit strings currently stored in the shift register and in the memory MEM, generating a bit string representing the successive number $x_{n+1}$ of the pseudo-random sequence, which is stored in the first buffer MEM.

The hardware generator of Figure 2 may be used whatever the number $k$ is.

A simpler embodiment of a hardware generator of the invention, especially designed for implementing the method of the invention for $k = 2$, is depicted in Figure 3. Differently from the generator of Figure 2, the register R2 is not present and R1 can be a register of any kind.

Initially, the memory buffer MEM is loaded with a seed $x_0$; then, according to the embodiment of the method of the invention described in Figure 1, the following operations are carried out:
- copying into the register R1 a bit string stored in the memory buffer MEM representing a current number $x_n$ of the pseudo-random sequence;
- generating a bit $X_n$ of the chaos-based pseudo-random bit sequence by summing modulo 2 (XORing) the two ($k = 2$) least significant bits of the bit string stored in the register R1;
- generating a bit string representing the successive number $x_{n+1}$ of the pseudo-random sequence by summing up the bit string representing the current number $x_n$ and the bit string obtained by eliminating the two least significant bits of the bit string stored in the register R1;
- storing in the memory buffer MEM the bit string representing the successive number $x_{n+1}$.

As will be apparent to the skilled practitioner, once the generator of Figure 3 has been realized, it cannot be used for any value of $k \ne 2$, because it would be necessary to change the connections between the register R1 and the cascade of adding gates [+] that constitute the adder ADD2.
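A cycle-level model of the Figure 3 datapath, added here as an example (not the patent's circuit, whose drawing is not reproduced on this page). Register R1 is a Python integer with two fractional bits; each clock XORs its two least significant bits for $X_n$ and loads MEM with R1 plus R1 shifted right by two, dropping the carry out of the $(M+2)$-bit adder (the mod $2^M$). The generic $(p/2^m)\,x$ form of equation (7) is kept alongside so the two can be checked against each other bit for bit, which is the check a designer would run before committing the shift-and-add simplification to hardware. $M = 256$ is taken from Example 1; the seeds are assumptions.

```python
# Cycle-level model of the Figure 3 datapath (k = 2, p = 5, m = 2).
# Added example, not the patent's circuit.  R1 holds b_{M-1}..b_0.a_1a_2 as
# an int with two fractional bits.  Per clock: X_n = a_1 xor a_2 (ADD1);
# MEM <- R1 + (R1 >> 2) with the adder's carry-out discarded (ADD2, mod 2^M).
# generic_cycle() is equation (7)/(8) in the same fixed-point convention.
M = 256                     # from Example 1
K = 2
WIDTH_MASK = (1 << (M + K)) - 1


def figure3_cycle(r1: int) -> tuple:
    """One clock: returns (output bit X_n, next MEM contents x_{n+1})."""
    lsb0, lsb1 = r1 & 1, (r1 >> 1) & 1
    x_bit = lsb0 ^ lsb1                        # ADD1: XOR of a_1 and a_2
    shifted = r1 >> K                          # R1 with its two LSBs removed (b/4)
    nxt = (r1 + shifted) & WIDTH_MASK          # ADD2, overflow dropped
    return x_bit, nxt


def generic_cycle(x: int, p: int = 5, m: int = 2) -> tuple:
    """Equations (7) and (8): trunc_2((p/2^m) x mod 2^M) and H of the result."""
    nxt = ((p * x) >> m) & WIDTH_MASK
    frac = nxt & ((1 << K) - 1)
    return bin(frac).count("1") & 1, nxt


def run_figure3(seed: int, n: int) -> list:
    """n clocks; the first bit emitted is H(x_0), the parity of the seed's a_1a_2."""
    bits, r1 = [], seed & WIDTH_MASK
    for _ in range(n):
        x_bit, r1 = figure3_cycle(r1)          # MEM is written back into R1
        bits.append(x_bit)
    return bits


def run_generic(seed: int, n: int) -> list:
    """n steps of (7)-(8); the first bit emitted is H(x_1)."""
    bits, x = [], seed & WIDTH_MASK
    for _ in range(n):
        x_bit, x = generic_cycle(x)
        bits.append(x_bit)
    return bits


def datapaths_agree(seed: int, n: int = 500) -> bool:
    """The hardware stream, shifted by its extra leading H(x_0), equals (7)-(8)."""
    return run_figure3(seed, n + 1)[1:] == run_generic(seed, n)
```

The shift-and-add datapath realizes the factor $1 + 2^{-k}$, so fixing the shift width also fixes $p = 2^k + 1$ and $m = k$ (here $p = 5$, $m = k = 2$, as in Example 1); any other $p/2^m$ needs a different adder network, which is the reason the remark above limits the Figure 3 circuit to $k = 2$.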
CLAIMS

1. A method of generating a chaos-based pseudo-random sequence ($X_n$) comprising the steps of:
defining a chaotic map for generating a pseudo-random sequence of integer numbers ($x_n$) comprised in a certain interval ($[0, q]$);
defining a function ($H(x)$) on said interval ($x \in [0, q]$) whose inverse has a plurality of branches;
choosing a seed ($x_0$) of said pseudo-random sequence of integer numbers ($x_n$) comprised in said interval ($[0, q]$);
generating numbers of said pseudo-random sequence ($x_n$);
calculating numbers of a chaos-based pseudo-random sequence ($X_n$) by applying said function ($H(x)$) to corresponding integer numbers of said pseudo-random sequence ($x_n$).

2. The method of claim 1, wherein the inverse of said function ($H(x)$) has a number of branches equal to the upper bound ($q$) of said interval ($[0, q]$).

3. The method of claim 1, wherein said chaotic map is a linear 
congruential generator. 

4. The method of claim 3, wherein said linear congruential generator is defined by:
choosing a first integer number ($m$);
choosing a second odd integer number ($p$) greater than the power of 2 raised to said first integer number ($2^m$);
choosing a third integer number ($M$) much greater than said first integer number ($m$);
said chaotic map being defined by the following equation:


5. A method of generating a chaos-based pseudo-random bit sequence ($X_n$) comprising the operations of:
choosing a function ($H(x)$) that may assume only two values ($\{0, 1\}$);
generating said chaos-based pseudo-random bit sequence ($X_n$) with the method of claim 1.

6. The method of claim 5, comprising the steps of:
representing in binary form said integer numbers ($x_n$) of said pseudo-random sequence;
defining a second integer number $k$;
defining said function ($H(x)$) as the binary sum of the $k$ least significant bits of the binary representation of its argument ($x$).

7. The method of claim 5, wherein said chaotic map is a truncated linear 
congruential generator. 

8. The method of claim 7, wherein said truncated linear congruential generator is defined by:
choosing a first integer number ($m$);
choosing a second odd integer number ($p$) greater than the power of 2 raised to said first integer number ($2^m$);
choosing a third integer number ($M$) much greater than said first integer number ($m$);
said chaotic map being defined by the following equation:

$$x_{n+1} = \mathrm{trunc}_k\!\left(\frac{p}{2^m}\, x_n \bmod 2^M\right)$$



9. The method of claim 7, wherein said linear congruential generator is defined by:
choosing a first integer number ($m$);
choosing a second odd integer number ($p$) greater than the power of 2 raised to said first integer number ($2^m$);
choosing a third integer number ($M$) much greater than said first integer number ($m$);
said chaotic map being defined by the following equations:

$$y_n = x_n \oplus X_n$$

$$x_{n+1} = \mathrm{trunc}_k\!\left(\frac{p}{2^m}\, y_n \bmod 2^M\right)$$



10. The method according to one of claims 4, 8 or 9, wherein said third 
integer number (M) is greater than or equal to 64. 

11. The method of claims 6 and 8, comprising the steps of: 

providing circuit means (MEM) for storing bit strings representing integer 
numbers (x_n) of said pseudo-random sequence; 
providing a shift register (R1) coupled to said circuit means (MEM); 
storing a seed (x_0) in said circuit means (MEM); 
carrying out cyclically the following operations: 

- copying in said shift register (R1) a bit string stored in the circuit means 
(MEM) representing a current number (x_n) of said pseudo-random sequence, 

- providing k shift commands to said shift register (R1), 

- generating a bit (X_n) of said chaos-based pseudo-random bit sequence by 
summing modulo 2 the k bits output by said shift register (R1), 

- generating a bit string representing a successive number (x_{n+1}) of said 
pseudo-random sequence by summing up the bit string currently stored in 
said shift register (R1) and the bit string representing said current number 
(x_n), 

- storing in the circuit means (MEM) the bit string representing said 
successive number (x_{n+1}). 

12. The method of claims 6 and 8, comprising the steps of: 
providing circuit means (MEM) for storing bit strings representing integer 
numbers (x_n) of said pseudo-random sequence; 
providing a register (R1) coupled to said circuit means (MEM); 

storing a seed (x_0) in said circuit means (MEM); 
carrying out cyclically the following operations: 

- copying in said register (R1) a bit string stored in the circuit means (MEM) 
representing a current number (x_n) of said pseudo-random sequence, 
- generating a bit (X_n) of said chaos-based pseudo-random bit sequence by 
summing modulo 2 the k least significant bits of the bit string stored in said 
register (R1), 

- generating a bit string representing a successive number (x_{n+1}) of said 
pseudo-random sequence by summing up the bit string representing said 
current number (x_n) and the bit string obtained eliminating the k least 
significant bits of the bit string stored in said register (R1), 
- storing in the circuit means (MEM) the bit string representing said 
successive number (x_{n+1}). 

13. A generator of chaos-based pseudo random bit sequences for 
implementing the method of claim 12, comprising: 

circuit means (MEM) for storing bit strings representing integer numbers 
(x_n) of said pseudo-random sequence; 
a register (R1) coupled to said circuit means (MEM); 

an adder modulo 2 (XOR) summing the k least significant bits of the 
bit string stored in said register (R1), generating a bit (X_n) of said 
chaos-based pseudo-random bit sequence; 

a second adder (ADD2) summing up the bit string representing said current 
number (x_n) and the bit string obtained eliminating the k least 
significant bits of the bit string stored in said register (R1). 

14. A generator of chaos-based pseudo random bit sequences for 
implementing the method of claim 11, comprising: 

circuit means (MEM) for storing bit strings representing integer numbers 
(x_n) of said pseudo-random sequence; 
a shift register (R1) coupled to said circuit means (MEM); 
a command circuit (CONTROL) generating shift commands for said shift 
register (R1); 

second circuit means (R2) for storing the bits output by said shift register 
(R1); 

an adder modulo 2 (ADD1) summing the bits stored in said second circuit 
means (R2), generating a bit (X_n) of said chaos-based pseudo-random 
bit sequence; 

a second adder (ADD2) summing up the bit strings currently stored in said 
shift register (R1) and in said first circuit means (MEM), generating a 
bit string representing a successive number (x_{n+1}) of said 
pseudo-random sequence. 
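As an added illustration, not code from the patent, the following Python model runs the bit generator of claims 11 to 14 in both of its claimed forms: the shift-register datapath of claim 11 (MEM, R1, R2, CONTROL, ADD1, ADD2) and the arithmetic form of claim 12, and checks that the two agree. The names M, k and x_0 are the claims' own; the function names and any sample parameters are assumptions.

```python
# Added software model of the generator of claims 11 to 14 (not code from the
# patent). M, k, x_0, MEM, R1, R2, ADD1, ADD2 follow the claims; helpers are assumed.

def mask(M):
    return (1 << M) - 1

def parity(bits):
    """Sum modulo 2 of the set bits of an integer (claim 6's H(x))."""
    return bin(bits).count("1") & 1

def step_arithmetic(x, k, M):
    """Claim 12 cycle: X_n = H(k LSBs of x_n); x_{n+1} = x_n + (x_n >> k) mod 2^M."""
    out_bit = parity(x & mask(k))
    x_next = (x + (x >> k)) & mask(M)
    return out_bit, x_next

def step_shift_register(x, k, M):
    """Claim 11 cycle, modelled bit by bit: copy MEM into R1, issue k shift
    commands, collect the bits shifted out in R2, XOR them (ADD1) for X_n,
    then add R1 (now holding x_n >> k) to MEM (ADD2) for x_{n+1}."""
    r1 = x
    r2 = []
    for _ in range(k):                 # k shift commands from CONTROL
        r2.append(r1 & 1)              # bit leaving the register
        r1 >>= 1
    out_bit = 0
    for b in r2:                       # ADD1: modulo-2 adder over R2
        out_bit ^= b
    x_next = (r1 + x) & mask(M)        # ADD2: R1 + MEM, kept M bits wide
    return out_bit, x_next

def generate_bits(seed, k, M, n):
    """Run the claim 12 cycle n times from seed x_0 and return the bit sequence."""
    x = seed & mask(M)
    bits = []
    for _ in range(n):
        b, x = step_arithmetic(x, k, M)
        bits.append(b)
    return bits

def datapaths_agree(seed, k, M, n):
    """Check that the claim 11 and claim 12 datapaths yield identical outputs."""
    xa = xs = seed & mask(M)
    for _ in range(n):
        ba, xa = step_arithmetic(xa, k, M)
        bs, xs = step_shift_register(xs, k, M)
        if ba != bs or xa != xs:
            return False
    return True
```

The agreement check rests on the fact that k shift commands leave x_n >> k in R1, which is exactly the bit string obtained by eliminating the k least significant bits that claim 12 adds to x_n.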
"METHOD OF GENERATING A CHAOS-BASED PSEUDO-RANDOM 
SEQUENCE AND A HARDWARE GENERATOR OF CHAOS-BASED 
PSEUDO RANDOM BIT SEQUENCES" 

ABSTRACT 

A method of generating cryptographically secure (or unpredictable) pseudo- 
random numbers uses simple functions whose inverse is not a well-defined 
function and has a large number of branches, although the inverse could be easily 
computed on each particular branch. In this way the sequence of numbers is 
practically unpredictable and at the same time may be generated using very simple 
functions. 

A hardware generator of chaos-based pseudo random bit sequences implementing 
an embodiment of the method comprises: 

- circuit means for storing bit strings representing integer numbers of the 
pseudo-random sequence; 

- a shift register coupled to the circuit means; 

- a command circuit generating shift commands for the shift register; 

- second circuit means for storing the bits output by the shift register; 

- an adder modulo 2 summing the bits stored in the second circuit means, 
generating a bit of the chaos-based pseudo-random bit sequence; 

- a second adder summing up the bit strings currently stored in the shift register 
and in the first circuit means, generating a bit string representing a successive 
number of the pseudo-random sequence. 